Authentication for remote banking and online payments is becoming an increasingly hot topic within the finance sector. Banks are looking to decrease customer reliance on branches by improving the experience of internet, mobile and telephone banking; however, fraud is becoming ever more sophisticated and targeted. This article explores how mobile is being seen as key to the future of our personal banking security.
Project work over the last 12-18 months has shown that there is growing interest in mobile from the banking sector, not only as a channel for banking and payments but also as an authentication device.
Most banks now have at least three remote banking services: internet, mobile (e.g. Mobile Money) and telephony. Fuelled by the economic downturn, there is a high-level strategic drive to make these more user friendly and secure, to drive down customer reliance on bank branches and human interaction.
E-banking is by far the most widely used of these, and is constantly under threat from fraudsters dreaming up ever more sophisticated attacks. One in particular, the so-called Man-in-the-Browser attack, involves a Trojan installed within the browser code – undetectable by anti-virus or spyware scanners – which records your credentials as you type them in, and can display back false information. For example, if you try to set up a new payee online, you may be asked for a special password, or to input an authentication token from your CAP reader; the Trojan can capture the token and your credentials, allowing the fraudsters to set up a fraudulent payee at a later date.
One way to combat this type of fraud is Out-of-Band Authentication: the customer is required to authenticate themselves over a different channel (or band) from the one they are using for access. For example, to complete the set-up of a new payee on your PC, you may be asked to text a partial password from your registered mobile handset to complete the transaction. Although there remains a risk that both your handset and laptop are compromised, the probability of your mobile being seized by the same fraudsters who hijacked your browser is low. Also, handset theft is usually discovered and dealt with quickly, unlike an infected browser.
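As an added illustration that is not part of the original article, the following Python sketch models the bank-side half of such an out-of-band confirmation. The class and function names (`OutOfBandAuthenticator`, `run_demo`), the phone number, the payee strings and the 120-second validity window are all assumptions constructed for the example. The point it makes is the one the Man-in-the-Browser paragraph raises: a code captured by the Trojan is only useful if it can be replayed "at a later date", so the code is tied to the exact payee the bank received, shown to the customer on the handset, accepted once, and allowed to lapse.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class PendingConfirmation:
    """A confirmation the bank is waiting for (constructed record type for this example)."""
    user: str
    payee: str        # payee details exactly as the bank's server received them
    code: str         # one-time code sent to the registered handset
    issued_at: float
    used: bool = False


class OutOfBandAuthenticator:
    """Hypothetical bank-side component confirming 'add new payee' over SMS.

    The code is stored server-side together with the payee the bank actually
    received, and the SMS shows that payee to the customer. A captured code is
    therefore useless for approving any other payee, a second use of the same
    code is rejected, and a late reply is rejected as expired.
    """

    TTL_SECONDS = 120  # assumed validity window for a code

    def __init__(self, registered_handsets: dict, clock=time.time):
        self._handsets = registered_handsets   # user -> phone number on file
        self._pending = {}                      # user -> PendingConfirmation
        self._clock = clock                     # injectable so expiry is testable
        self.outbox = []                        # messages handed to the SMS gateway

    def request_add_payee(self, user: str, payee: str) -> None:
        """Called when the web channel submits a new payee; the code never goes back to the browser."""
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[user] = PendingConfirmation(user, payee, code, self._clock())
        text = f"To add payee {payee}, reply with code {code}. If you did not request this, call us."
        self.outbox.append({"to": self._handsets[user], "payee": payee, "code": code, "text": text})

    def confirm(self, user: str, payee: str, code: str) -> str:
        """Checks a code received from the registered handset against the pending request.

        `payee` is what the server is about to commit; it must equal the payee
        the code was issued for. Returns a short outcome string.
        """
        pending = self._pending.get(user)
        if pending is None:
            return "no-pending-confirmation"
        if pending.used:
            return "code-already-used"
        if self._clock() - pending.issued_at > self.TTL_SECONDS:
            return "code-expired"
        if not hmac.compare_digest(pending.code, code):   # constant-time comparison
            return "wrong-code"
        if pending.payee != payee:
            return "payee-mismatch"
        pending.used = True
        return "confirmed"


def run_demo() -> dict:
    """Walks through a legitimate confirmation and three misuse cases; returns the outcomes."""
    fake_clock = [1_000_000.0]   # constructed clock so expiry is deterministic
    auth = OutOfBandAuthenticator({"alice": "+44 7700 900123"}, clock=lambda: fake_clock[0])
    genuine, fraudulent = "sort 12-34-56 acct 87654321", "sort 99-99-99 acct 11111111"
    outcomes = {}

    # 1. Alice adds a payee; the bank texts a code showing that payee.
    auth.request_add_payee("alice", genuine)
    code = auth.outbox[-1]["code"]

    # 2. Suppose the code leaked to the fraudster; it still only approves Alice's payee.
    outcomes["captured_code_other_payee"] = auth.confirm("alice", fraudulent, code)

    # 3. Alice replies from her handset and the payee is committed.
    outcomes["legit"] = auth.confirm("alice", genuine, code)

    # 4. The same code presented again at a later date is refused.
    outcomes["replay_after_use"] = auth.confirm("alice", genuine, code)

    # 5. The Trojan swaps the payee in a fresh request: the SMS exposes the substitution.
    auth.request_add_payee("alice", fraudulent)
    outcomes["customer_sees_substituted_payee"] = auth.outbox[-1]["payee"] != genuine

    # 6. Nobody replies within the window, so the code lapses.
    fake_clock[0] += OutOfBandAuthenticator.TTL_SECONDS + 1
    outcomes["late_reply"] = auth.confirm("alice", fraudulent, auth.outbox[-1]["code"])
    return outcomes


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The detail that does the work is that the code is looked up by user and checked against the payee the server recorded, not the payee a browser presents at confirmation time; without that binding, a captured code is just a second static password.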
The mobile can also host more secure authentication applications on the SIM or MicroSD card, where the customer enters a PIN code to generate a token, much like the CAP readers that many banks have in circulation currently. SIM-based solutions require operator buy-in, and are therefore limited to customers from a particular operator that the bank has partnered with. MicroSD solutions enable the bank to issue applications on a branded memory card, and control the experience independently of the operator. This approach also avoids the potentially cumbersome download and installation process associated with Java applications.
As mobile phones get smarter, however, they are capable of accessing all remote banking services: browser-based e-banking, m-banking and, of course, telephony. New vulnerabilities will inevitably emerge in mobile browsers, and once every channel runs on the same handset, out-of-band solutions will be impractical, if not impossible.
NFC is a key enabler in the mobile payments and authentication space, allowing interaction between cards and phones. A swift tap of your debit card to your handset, followed by PIN entry, can prove to your bank that you are who you say you are and that your registered card and phone are in use. This can be strengthened to three-factor authentication with the addition of voice identification, a feature that is gaining traction in smartphones and now forms the main focus of Apple’s iPhone 3GS adverts.
Whilst our phones can (and will) do all these wonderful things and more, there is still unease among the banking community about the insecurity of the handset as a whole. Typically, keystrokes on your mobile pass through anything up to seven APIs, any of which could be intercepted by malicious software relatively easily. In other words, it’s not a certified banking PIN pad, which could impede roll-out. Although adding a few extra digits to the PIN and renaming it a “pass-code” might just be ok. It remains to be seen who will take the first cautious steps into this business, and when.
Posted by Steve, 28 August 2009